Brexit and GDPR: What should you do now about EU to UK transfers of personal data? (And other related issues)

28 November 2018

There has been much discussion about the impact of Brexit on a company’s personal data flows in and out of the European Union post Brexit.

Whilst there is time to develop your approach once the final position is known, there are various actions companies may want to consider now in order to prepare themselves for when the final “deal” is agreed (or not agreed as the case may be).

Transfers

The Withdrawal Agreement and Future Relationship

The Withdrawal Agreement and Future Relationship document are very clear on data protection issues:

There will be no immediate restriction of data transfers EU>UK when the UK leaves the EU on 29 March 2019. The draft Withdrawal Agreement makes clear that EU data protection law will continue to apply generally in the UK during the transition period (although see below regarding a carve out for the Information Commissioner’s Office (“ICO”) involvement at an EU wide level).

The draft Future Relationship document (as of 22 November 2018) sets out an assumption that the UK will seek an adequacy decision from 30 March 2019 and that this will be granted from 1 January 2021 (i.e. the day after end of transition period). “…the EC will start assessments with respect to the UK[‘s data protection adequacy] as soon as possible after the UK’s withdrawal, endeavouring to adopt decisions by the end of 2020…”” (see below for comments on whether adequacy will be achieved).

If the Withdrawal Agreement goes through and the data protection relationship envisaged by the Future Relationship document comes to pass, then the UK will never be “outside” the “safe” transfer bubble at any point and EU>UK transfers will be unaffected.

As such, arguably, if you are confident the Withdrawal Agreement is going to pass (or at least some form of agreed transition period which will likely include similar provisions on personal data), you do not need to do anything now about EU>UK transfers. You can then watch what happens regarding the EC’s assessments of adequacy from March 2019 to December 2020 and make decisions accordingly.

Please note our advice re intra-“bubble” transfers is still that a data sharing agreement is put in place - although we understand that many companies across the EU do not bother formally documenting intra-EU or adequacy decision country transfers.

“No-deal”?

Even in the event of a so called “no-deal” Brexit, this is not an insurmountable issue.

Intra group?

As part of their GDPR compliance actions data controllers should already be aware of their data flows around the EU and the world, including EU>UK data flows.

Many of these controllers will also already have sophisticated intra-group transfer mechanisms in place covering both intra- and extra-EU data flows. These companies have already mapped their data flows, so adding the post Brexit UK in a different capacity into their intra group agreements should be a relatively straightforward task. For example, if you already send data to Australia from France via an intra-group standard contractual clauses (“SCC”) mechanism, broadly you need to do the same for your UK entities or simply add these UK entities to an existing agreement.

For those entities that have not yet mapped their data flows intra group, then a first step (and really one that should have taken place already regardless of Brexit) is to map flows of data from the EU>UK. If a “no-deal” Brexit really looks likely towards the middle of Q1 then either simple group SCCs or more sophisticated intra-group agreements can be put in place to ensure EU>UK data flows are still valid and lawful from 29 March 2019.

Third party processors? (And third party controllers?)

In terms of controller to processor relationships, many UK processors do receive personal data from the EU. Again, they should already know which of their clients send them data from the EU, and it is likely that controller to processor terms reflect this – so if a “no-deal” Brexit happens then the parties will put in place adequate safeguards for EU>UK transfers as necessary. It is then not an arduous or particularly onerous task to put in place SCCs, although commercially the other party may take the opportunity to renegotiate other terms.

From a controller to controller perspective, it may be necessary (as with “intra group” transfers) to put in place model clauses where previously they were not required.

Future developments: A note of caution…

On a more negative note, Max Schrems’s challenge to SCCs will be heard by the Court of Justice of the European Union in the next 6-12 months. The Court might as a consequence strike down SCCs as a valid transfer mechanism.

Further, the SCCs themselves have not been updated for GDPR compliance. New versions should be released by the EC in the near future (but “near” could easily mean 12-24 months).

This means that use of the current SCC model could result in future changes being required, either as a result of the Schrems decision or when the EC change them (although one assumes grandfathering provisions will apply). But if this happens, it will not just be UK companies that are concerned but many 100,000s of global companies as well. The EU will essentially be closing its borders to data and the main victim will be consumers with regards to their access to, for instance, US providers – as such it seems unlikely this will happen.

An exploitable chink?

Please note the ICO’s paper on extra-EU transfers also contains an idea that data transfer restrictions under the GDPR do not apply where the recipient of personal data is directly bound by the GDPR. If this is correct, then both a “no deal” or “orderly” Brexit are irrelevant – as the majority of processing by UK companies will be covered by the GDPR (either under Article 3(1) or 3(2) or even, arguably, just by virtue of the fact that the UK has incorporated GDPR into its domestic law) then no transfer mechanisms will need to be put in place.

The European Data Protection Board (“EDPB”) is releasing their own draft guidance on data transfers shortly – let’s hope they follow the ICO’s lead.

Will Adequacy be granted?

Even in the event of a “no deal”, the UK will still seek an adequacy decision from the EC (as envisaged by the Future Relationship document).

This will of course take time, meaning some of the “no deal” actions set out above may have to be put in place. Further there is no guarantee that the UK will be adjudged as having adequate data protection standards. The main worry discussed by some commentators is over the width of the Investigatory Powers Act - i.e. can security and police forces look too easily at our personal data in the UK?

However, these worries are overblown in our opinion.

The UK has a thorough data protection regime; it has a well-respected and well-resourced supervisory authority; and in addition it has recently signed up to the modernised version of the Council of Europe’s Convention 108 on data protection. Adherence to this Convention is something specifically mentioned in the recitals to the GDPR as having an impact on whether a third country is adjudged adequate, Recital 105 stating, “…The Commission should take account of obligations arising from the third country’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country’s accession to [the Council of Europe Convention 108] and its Additional Protocol should be taken into account…” In relation to the Investigatory Powers Act a number of other countries who have been adjudged as adequate have similar, or much wider, powers of surveillance (e.g. Israel). Even Canada, another “adequate” third country, has wide powers. Finally, the UK has a body of over seventy people, headed by the Investigatory Powers Commissioner, whose sole purpose is to oversee use of the Investigatory Powers Act by security agencies.

As such, whilst there are no guarantees, it would seem unlikely that the UK would not be granted an adequacy decision at some point after its exit from the EU.

What about UK to EU transfers?

The UK Government has taken a resoundingly pragmatic approach to this issue, simply setting out in their “no deal” paper on data protection that:

“You would continue to be able to send personal data from the UK to the EU. In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU. The UK would keep this under review.”

LSA, one stop shop and EU representatives

The draft Withdrawal Agreement contains a carve-out for the co-operation and consistency mechanism which means that the UK will not participate in the EDPB and nor will the ICO be able to be a Lead Supervisory Authority (“LSA”) for cross border data issues. The Future Relationship document perhaps contains hope on this in its last paragraph on data protection, stating “…the Parties should also make arrangements for appropriate cooperation between regulators”. Both the ICO and the EDPB are equally keen to keep the ICO actively engaged as a member of the EDPB. Giovanni Buttarelli, the European Data Protection Supervisor, said last month that it is his aim to “arrange the architecture to find a solution” to keep the ICO actively engaged with the EDPB. Even in mid-November, Wojciech Wiewiórowski, Assistant European Data Protection Supervisor, said “we are open to different kinds of inventive solutions”.

But at present any controller or processor that regards the ICO as its LSA under Article 56 GDPR (possibly in some cases even having gone so far as to notify the ICO of such a view) needs to re-consider which EU supervisory authority is their LSA.

Similarly, any controller or processor utilizing UK based EU representatives under Article 27 will need to change their approach, i.e. designate a different representative in the EU and update documents (e.g. privacy notices, Article 30 records) as necessary.

This approach is disappointing as some had hoped the EC would show creativity and allow the ICO a greater role in the EU’s data protection infrastructure from the get go, i.e. in the Withdrawal Agreement itself. Indeed, many supervisory authorities would have welcomed such creativity, especially as the ICO is easily the best resourced authority in Europe. Instead the ICO is being shut out even more than the EEA countries (e.g. Norway participates in the EDPB but does not have voting rights). However disappointing, this might change in a future deal, and in any event it is not a cataclysm. As with the EU>UK transfer issue, is not something which should generate panic. Reconsidering the LSA issue and EU representative issues is not an arduous task.

Summary

In summary:

Watch this space! But…

Transfer

Don’t panic, review your EU>UK data flows (If you would like us to assist you with this then please see the contact details below)

Hope for the best in terms of a deal, but know if the worst happens the issues are not insurmountable (i.e. EU>UK sharing mechanisms are not that complex to put in place)

One stop shop

Review your LSA analysis if you have designated the ICO as your LSA.

Review your Article 27 obligations if you have chosen EU representatives in the UK.

We are happy to assist you in devising a strategy when the final position of the “deal” is known.